Year After 9/11, Cyberspace Door Is Still Ajar

By JOHN SCHWARTZ

Published: September 9, 2002

Sounding the alarm is not the same as paying for a deadbolt on the door. Which may explain why, despite the heightened fears of cyberterrorism and online security that followed last September's attacks in New York and Washington, few American businesses or organizations have responded with new measures to safeguard their computing systems from intruders.

Harris Miller had hoped it would be otherwise. He recalls that warning Americans about cyberterrorism and online security before Sept. 11 had been an exercise in futility.

''I felt like Sisyphus,'' said Mr. Miller, president of the Information Technology Association of America, a trade group, adding that his pleas for greater awareness and quicker action were consistently ignored. ''Just rolling the stone up the mountain, and it kept rolling right back down again.'' For government, corporations and individuals alike, Mr. Miller said, computer security was always ''the 11th item on a 10-item list.''

Then came the attacks -- and with them, a growing sense that terrorism could happen anywhere. And anywhere included the nation's computer networks and all the critical systems that were tied to them.

''It really was a wake-up call,'' said Mario Correa, director of Internet and network security policy for the Business Software Alliance, an industry lobbying group in Washington.

Security experts predicted that their calls would finally be heeded and that corporations and governments would shore up their cyberdefenses. Some even spoke of a ''security dividend'' for the industry arising from the attacks. The International Data Group, a publisher of trade magazines, even announced a new magazine, CSO, aimed at the hoped-for legions of deep-pocketed corporate chief security officers.

So what has changed in the year since the attacks?

Not so much, actually.

The fretting, certainly, has been vocal. Companies say in survey after survey that they believe they, and the government, are still vulnerable to cyberattack. Indeed, a poll published this summer by the Business Software Alliance found that 60 percent of those who are directly responsible for their companies' network security believe that United States businesses are at risk for a major cyberattack in the next 12 months.

And a government team led by Richard A. Clarke, the White House cyberspace security adviser, has been busy on a computer security framework that is to be announced next week and is expected to spell out actions that should be taken by government, industry and even individuals to safeguard the Internet.

The fretting and frameworking, however, has not escalated into spending. Money spent on security has been flat the last year, with no turnaround imminent, said Steve Hunt, a vice president of the Giga Information Group, a high-technology analysis company.

''The security market is not going to benefit in 2002,'' he said. A survey of the customers of Sanctum Inc., a security company in Santa Clara, Calif., which said it had extensively interviewed 10 customers on the topic, showed that only three had made new Internet security moves because of the Sept. 11 attacks.

Other areas of security, like the disaster preparedness of information technology systems, have also come under increased scrutiny since Sept. 11. But, as with cybersecurity, little money has been spent. In a survey conducted for AT&T, 73 percent of those questioned said their companies had reviewed their disaster recovery planning after Sept. 11, but only one in 10 said business disaster planning had become a top priority after the attacks.

That is not particularly surprising in tight economic times, when most information technology spending has focused on incremental improvements to current systems, said Art Coviello, the chief executive of RSA Data Security, a computer network security company in Bedford, Mass. At a conference of chief information officers early this year, Mr. Coviello recalled, executives listed the top three priorities in 2002 as ''cut costs, cut costs and cut costs.''

''The next priority was to make more out of what they had,'' he said. ''The next priority after that was security.''

Part of the reason for the lack of action is a growing sense of frustration with the task of making computer systems secure, said Peter S. Tippett, the chief technology officer of Trusecure, a computer security management firm in Herndon, Va. Trying to keep up with each individual software patch and vulnerability and apply each one to every computer and network has become an all but impossible task for many organizations.

The Computer Emergency Response Team, a federally financed monitoring group and information clearinghouse at Carnegie Mellon University, identified 2,437 software vulnerabilities in 2001, but fewer than 1 percent were used in actual attacks. ''Why don't we figure out what the essential security is?'' Mr. Tippett said.

He suggested that another reason companies had not acted decisively could be a growing sense among industry experts that the threat of cyberterrorism had been overstated. He noted that although the world's computer networks are increasingly tied to critical systems like power grids and telecommunications networks, a cyberterrorism episode is unlikely to stand alone, or to be devastating in itself. Instead, he said, such an attack would probably come in conjunction with physical attacks and be meant mainly to sow confusion. He compared such a disruption to ''a snowstorm on top of an otherwise bad day.''

Still, Mr. Tippett and other security experts agree that the nation's computer networks need more effective and extensive shoring up.

Meanwhile, Bush administration officials argue that despite the lack of progress cited by others, great strides have actually been made since last September.